Persistence via Startup with Low Occurrence Frequency by Unique Host
Metadata
Author: Elastic
Description: Leveraging frequency-based analysis and path normalization, this hunt identifies rare instances where a program adds Startup persistence via file creation. Startup entries cause programs to run each time a user logs on and are often abused by adversaries to maintain persistence on an endpoint.
```sql
from logs-endpoint.events.file-*, logs-windows.sysmon_operational-default-*
| where @timestamp > now() - 7 day
| where host.os.family == "windows" and event.category == "file" and event.action in ("creation", "FileCreate") and
  file.path rlike """(C:\\Users\\.+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.+|C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\.+)"""
| keep process.executable, host.id, file.name
/* Path normalization on process.executable to ease aggregation: strip GUIDs, NSIS/DirectX/7-Zip temp-directory names and version-like runs of digits, then collapse the user profile directory */
| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
| stats number_hosts = count_distinct(host.id) by process_path, file.name
| where number_hosts == 1
```
Notes
Elastic Defend file events capture process.code_signature information; this can be added to the hunt to limit results to unsigned and Microsoft-signed programs, dropping installers that carry another trusted signature.
A file.name seen on only one agent is not necessarily malicious, but the rarity helps surface entries worth further investigation.
Suspicious process.executable paths (user-writable directories, temp folders) and LOLBins writing into a Startup folder should be reviewed further.
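To see what the query's normalization and rarity aggregation actually do, and how the code-signature tightening from the Notes changes the result, the following Python script replays the hunt pipeline (the rlike filter, the two replace steps, count_distinct by host and the number_hosts == 1 cut) over a handful of constructed events. It is an added example, not code from Elastic or this repository. The sample events, host ids, user names and paths are invented; unsigned_or_microsoft is one assumed way of encoding the Notes' advice using the ECS process.code_signature.trusted and process.code_signature.subject_name fields, and the rlike pattern is applied with Python's re, which agrees with the ES|QL engines for these constructs.

```python
"""Offline model of the Startup-folder rarity hunt (added example, not Elastic's code).

Replays the ES|QL pipeline in Python so the effect of each regex and of the
count_distinct(host.id) aggregation can be checked against constructed events.
"""
import re
from collections import defaultdict

# Same pattern as the hunt's `file.path rlike` filter (matched against the whole path).
STARTUP_PATH = re.compile(
    r"(C:\\Users\\.+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.+"
    r"|C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\.+)"
)
# First replace(): strip GUIDs, NSIS/DirectX/7-Zip temp-directory names and runs of
# digits, dots, dashes and underscores (versions, build ids) from process.executable.
NOISE = re.compile(
    r"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
    r"|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})"
)
# Second replace(): collapse every user profile directory to C:\users\user\.
PROFILE = re.compile(r"[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\")


def normalize_path(executable):
    """The two `eval process_path = replace(...)` steps of the hunt."""
    return PROFILE.sub(r"C:\\users\\user\\", NOISE.sub("", executable))


def in_scope(event):
    """The `where` clause: Windows file-creation events under a Startup folder."""
    return (
        event["host.os.family"] == "windows"
        and event["event.category"] == "file"
        and event["event.action"] in ("creation", "FileCreate")
        and STARTUP_PATH.fullmatch(event["file.path"]) is not None
    )


def unsigned_or_microsoft(event):
    """Assumed encoding of the Notes' code-signature tightening: keep unsigned
    processes and Microsoft-signed ones, drop everything else that is trusted."""
    trusted = event.get("process.code_signature.trusted", False)
    subject = event.get("process.code_signature.subject_name", "")
    return (not trusted) or subject.startswith("Microsoft")


def rare_startup_writers(events, signature_filter=False):
    """`stats number_hosts = count_distinct(host.id) by process_path, file.name`
    followed by `where number_hosts == 1`; returns sorted (process_path, file.name, hosts)."""
    hosts_by_key = defaultdict(set)
    for ev in events:
        if not in_scope(ev) or (signature_filter and not unsigned_or_microsoft(ev)):
            continue
        key = (normalize_path(ev["process.executable"]), ev["file.name"])
        hosts_by_key[key].add(ev["host.id"])
    return sorted(
        (path, name, sorted(hosts))
        for (path, name), hosts in hosts_by_key.items()
        if len(hosts) == 1
    )


def _event(host, exe, path, action="creation", os_family="windows", trusted=False, subject=""):
    """Build one flattened ECS-style event (constructed sample data)."""
    return {
        "host.id": host, "host.os.family": os_family, "event.category": "file",
        "event.action": action, "process.executable": exe, "file.path": path,
        "file.name": path.rsplit("\\", 1)[-1],
        "process.code_signature.trusted": trusted, "process.code_signature.subject_name": subject,
    }


USER_STARTUP = r"C:\Users\%s\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%s"
ALL_USERS_STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\%s"

# Constructed sample events; hosts, users, vendors and paths are invented for the example.
SAMPLE_EVENTS = [
    # Same NSIS installer on two hosts: temp-dir name and user differ, but
    # normalization maps both to one key, so the pair is suppressed (number_hosts == 2).
    _event("host-a", r"C:\Users\alice\AppData\Local\Temp\nsj8E2F.tmp\installer.exe",
           USER_STARTUP % ("alice", "Vendor Agent.lnk"), trusted=True, subject="Vendor Inc"),
    _event("host-b", r"C:\Users\bob\AppData\Local\Temp\nsx4A7Q.tmp\installer.exe",
           USER_STARTUP % ("bob", "Vendor Agent.lnk"), trusted=True, subject="Vendor Inc"),
    # Unsigned binary in a profile directory dropping a Startup shortcut on one host.
    _event("host-c", r"C:\Users\carol\AppData\Roaming\svchost.exe",
           USER_STARTUP % ("carol", "update.lnk")),
    # LOLBin writing a batch file into the all-users Startup folder (Sysmon action name).
    _event("host-d", r"C:\Windows\System32\cmd.exe", ALL_USERS_STARTUP % "run.bat",
           action="FileCreate", trusted=True, subject="Microsoft Windows"),
    # Third-party signed updater with a GUID in its path: rare, but dropped by the signature filter.
    _event("host-g", r"C:\Program Files\Vendor\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}\updater.exe",
           ALL_USERS_STARTUP % "Vendor Updater.lnk", trusted=True, subject="Vendor Inc"),
    # Out of scope for the where clause: a deletion, and a Linux host.
    _event("host-e", r"C:\Windows\explorer.exe", USER_STARTUP % ("eve", "old.lnk"), action="deletion"),
    _event("host-f", "/usr/bin/bash", "/home/f/.config/autostart/x.desktop", os_family="linux"),
]

if __name__ == "__main__":
    for path, name, hosts in rare_startup_writers(SAMPLE_EVENTS):
        print(f"{hosts[0]:8} {name:20} {path}")
    print("with signature filter:",
          [n for _, n, _ in rare_startup_writers(SAMPLE_EVENTS, signature_filter=True)])
```

Running it shows the three single-host keys (the GUID-bearing updater, cmd.exe, and the unsigned svchost.exe copy under Roaming) while the two NSIS installs collapse to one key and drop out; with the signature filter on, the third-party-signed updater disappears as well. Note that the first replace leaves a doubled backslash where a temp-directory name was removed, which is harmless for grouping but worth knowing when you read the process_path column.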